We want to prevent users from editing other users' profiles, while still allowing a superUser to manage all profiles. I don't know the best way of doing this; I am sure I can accomplish it, but I am mainly looking for the best way or best approach.

I thought about putting an IF before the line below so that the line is only shown under that condition, but I don't think that is the best way, since other users might guess the edit URL, e.g. domain.com/user/edit/5.

    <%=Html.ActionLink("Edit", "Edit", new { id=Model.UserID }) %>

We are using: ASP.NET MVC, SQL Database, and ADO.NET for database. Also: OpenID subscription.

+3  A: 

You'll need to write some code in the controller action. Basically something like:

    MembershipUser user = Membership.GetUser();   // the currently logged-in Membership user

    // Admins may edit anyone; everyone else only the profile whose id is their own key.
    // ProviderUserKey is declared as object, so compare with Equals: `!=` would compare
    // references against a boxed id and the check would never match.
    if (!User.IsInRole("Administrator") && !object.Equals(user.ProviderUserKey, id))
      return View("Unauthorized");

In your case for OpenID, it will work pretty much the same. Assume this is pseudocode:

    var user = GetLoggedInUser();   // your own user record for the current OpenID login

    // Same rule as above, but the admin flag and the id come from your own user table.
    if (!IsAdmin(user) && (user.UserID != id))
      return View("Unauthorized");

where GetLoggedInUser gets the user object for the current user, and IsAdmin figures out if a user object is an admin.

GalacticCowboy
Thanks GalacticCowboy: I guess I will need to implement roles inside my database since I am not using the ASP.NET Membership framework. I am currently using OpenID. Thanks
Geo
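The check from the answer, carried through to a complete controller for the setup the question describes (OpenID login, your own SQL user table, no ASP.NET Membership). This is an added example, not code from the original question or answer; `AppUser`, `IUserRepository`, `FindByOpenId`, `IsAdmin` and `UserEditModel` are hypothetical names standing in for the asker's ADO.NET layer, and it assumes the OpenID login code issues a forms-authentication ticket whose name is the claimed identifier. The point it adds to the answer: the same check must run on the POST as well as the GET, and the id being authorized must come from the route, not from a hidden form field.

```csharp
using System.Web.Mvc;

// Hypothetical application user record loaded from the asker's own SQL table.
public class AppUser
{
    public int UserID { get; set; }
    public string OpenIdIdentifier { get; set; }
    public string DisplayName { get; set; }
    public bool IsAdmin { get; set; }   // role kept in the database; OpenID does not supply roles
}

// Hypothetical repository over the ADO.NET code; only the calls used here are declared.
public interface IUserRepository
{
    AppUser FindByOpenId(string openIdIdentifier);
    AppUser FindById(int userId);
    void Update(AppUser user);
}

// Only the fields a user may change. UserID and IsAdmin are deliberately absent.
public class UserEditModel
{
    public string DisplayName { get; set; }
}

[Authorize]   // anonymous requests never reach the actions; the per-user rule is checked below
public class UserController : Controller
{
    private readonly IUserRepository _users;

    // Needs a controller factory that injects the repository (or a parameterless
    // constructor that builds the concrete ADO.NET repository yourself).
    public UserController(IUserRepository users)
    {
        _users = users;
    }

    // Assumption: after the OpenID assertion the forms-auth ticket name is the claimed
    // identifier; map it back to the application's own row.
    private AppUser CurrentUser()
    {
        return _users.FindByOpenId(User.Identity.Name);
    }

    // The rule from the answer: admins may edit anyone, everyone else only themselves.
    private static bool CanEdit(AppUser actor, int targetUserId)
    {
        return actor != null && (actor.IsAdmin || actor.UserID == targetUserId);
    }

    // GET /user/edit/5
    public ActionResult Edit(int id)
    {
        if (!CanEdit(CurrentUser(), id))
            return new HttpStatusCodeResult(403);   // MVC 2+; HttpUnauthorizedResult in MVC 1

        var target = _users.FindById(id);
        if (target == null)
            return new HttpStatusCodeResult(404);

        return View(new UserEditModel { DisplayName = target.DisplayName });
    }

    // POST /user/edit/5. Hiding the link in the view, or checking only the GET, leaves
    // a direct POST to the guessed URL open, so the same check runs here.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Edit(int id, UserEditModel model)
    {
        if (!CanEdit(CurrentUser(), id))
            return new HttpStatusCodeResult(403);

        var target = _users.FindById(id);
        if (target == null)
            return new HttpStatusCodeResult(404);

        // Copy only the editable fields onto the row selected by the route id. The id and
        // the admin flag never come from the posted form, so a forged hidden field cannot
        // redirect the update to another account or grant admin.
        target.DisplayName = model.DisplayName;
        _users.Update(target);

        return RedirectToAction("Details", new { id = id });
    }
}
```

The IF around the `Html.ActionLink` in the view is still worth keeping so non-admins do not see an Edit link they cannot use, but it is a usability measure only; the controller check is what enforces the rule, and returning a 403 status rather than a rendered "Unauthorized" view with a 200 makes the refusal visible in logs and to any monitoring.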